SB2024030433 - Ubuntu update for nodejs 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024030433

SB2024030433 - Ubuntu update for nodejs

Published: March 4, 2024

Security Bulletin ID SB2024030433
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Resource management error (CVE-ID: CVE-2023-23919)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to in some cases Node.js does does not clear the OpenSSL error stack after operations that may set it. A remote attacker can trigger false positive errors during subsequent cryptographic operations on the same thread and perform a denial of service (DoS) attack.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-23920)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to application insecurely loads ICU data through ICU_DATA environment variable with elevated privileges. A remote user can gain access to potentially sensitive information.


3) Resource management error (CVE-ID: CVE-2023-2650)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when processing OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS subsystems with no message size limit. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.


Remediation

Install update from vendor's website.

References